Domain 1 - Security and Risk Management

Qualitative risk assessment involves personnel with limited risk assessment understanding completing assessments using risk ratings like high, moderate, low. Single loss expectancy is calculated as asset value multiplied by exposure factor. Business continuity/disaster recovery plans contain adequate preparations and procedures to continue all organization functions in the face of disruptions.

Uploaded by Anas Inam

Domain 1 – Security and Risk Management

1. Within the realm of IT security, which of the following combinations best defines risk?
A. Threat coupled with a breach
B. Threat coupled with a vulnerability
C. Vulnerability coupled with an attack
D. Threat coupled with a breach of security

Answer: B
A vulnerability is a lack of a countermeasure or a weakness in a
countermeasure that is in place. A threat is any potential danger
that is associated with the exploitation of a vulnerability. The threat
is that someone, or something, will identify a specific vulnerability
and use it against the company or individual. A risk is the likelihood
of a threat agent exploiting a vulnerability and the corresponding
business impact.

2. When determining the value of an intangible asset, which is the BEST approach?
A. Determine the physical storage costs and multiply by the expected life of the company
B. With the assistance of a finance or accounting professional, determine how much profit the asset has returned
C. Review the depreciation of the intangible asset over the past three years.
D. Use the historical acquisition or development cost of the intangible asset

Answer: B
Intangible asset value is challenging to determine. While there are
several ways to determine the value of an intangible asset, the best
approach involves seeking assistance from finance or accounting
professionals to determine the impact of the asset to the
organization.
3. Qualitative risk assessment is earmarked by which of the following?
A. Ease of implementation and it can be completed by personnel with a limited understanding of the risk assessment process
B. Can be completed by personnel with a limited understanding of the risk assessment process and uses detailed metrics used for calculation of risk
C. Detailed metrics used for calculation of risk and ease of implementation
D. Can be completed by personnel with a limited understanding of the risk assessment process and detailed metrics used for the calculation of risk

Answer: A
Qualitative risk assessments are a form of risk assessment that uses stratified risk ratings such as “high, moderate and low.” This simplified approach lets those less familiar with risk assessments perform them; the results, while not as specific as those of quantitative assessments, are still meaningful.

4. Single loss expectancy (SLE) is calculated by using:
A. Asset value and annualized rate of occurrence (ARO)
B. Asset value, local annual frequency estimate (LAFE), and standard annual frequency estimate (SAFE)
C. Asset value and exposure factor
D. Local annual frequency estimate and annualized rate of occurrence

Answer: C
The formula for calculating SLE is SLE = asset value (in $) × exposure factor (the percentage of the asset value lost in a successful threat exploit).

5. Consideration for which type of risk assessment to perform includes all of the following:
A. Culture of the organization, likelihood of exposure and budget
B. Budget, capabilities of resources and likelihood of exposure
C. Capabilities of resources, likelihood of exposure and budget
D. Culture of the organization, budget, capabilities and resources

Answer: D
It is expected that an organization will make a selection of the risk
assessment methodology, tools, and resources (including people)
that best fit its culture, personnel capabilities, budget, and timeline.

6. Security awareness training includes:
A. Legislated security compliance objectives
B. Security roles and responsibilities for staff
C. The high-level outcome of vulnerability assessments
D. Specialized curriculum assignments, coursework and an accredited institution

Answer: B
Security awareness training is a method by which organizations can
inform employees about their roles, and expectations surrounding
their roles, in the observance of information security requirements.
Additionally, training provides guidance surrounding the
performance of particular security or risk management functions, as
well as providing information surrounding the security and risk
management functions in general.

7. What is the minimum and customary practice of responsible protection of assets that affects a community or societal norm?
A. Due diligence
B. Risk mitigation
C. Asset protection
D. Due care

Answer: D
Due diligence is the act of investigating and understanding the risks
the company faces. A company practices due care by developing
security policies, procedures, and standards. Due care shows that a
company has taken responsibility for the activities that take place
within the corporation and has taken the necessary steps to help
protect the company, its resources, and employees from possible
risks. So due diligence is understanding the current threats and
risks and due care is implementing countermeasures to provide
protection from those threats. If a company does not practice due
care and due diligence pertaining to the security of its assets, it can
be legally charged with negligence and held accountable for any
ramifications of that negligence.

8. Effective security management:
A. Achieves security at the lowest cost
B. Reduces risk to an acceptable level
C. Prioritizes security for new products
D. Installs patches in a timely manner

Answer: B
There will always be residual risk accepted by an organization,
and effective security management will minimize this risk to a level
that fits within the organization’s risk tolerance or risk profile.

9. Availability makes information accessible by protecting from:
A. Denial of services, fires, floods, hurricanes, and unauthorized transactions
B. Fires, floods, hurricanes, unauthorized transactions and unreadable backup tapes
C. Unauthorized transactions, fires, floods, hurricanes and unreadable backup tapes
D. Denial of services, fires, floods, and hurricanes and unreadable backup tapes

Answer: D
Availability is the principle that information is available and
accessible by users when needed. The two primary areas affecting
the availability of systems are (1) denial of service attacks and (2)
loss of service due to a disaster, which could be man-made or
natural.

11. Which phrase best defines a business continuity/disaster recovery plan?
A. A set of plans for preventing a disaster.
B. An approved set of preparations and sufficient procedures for responding to a disaster.
C. A set of preparations and procedures for responding to a disaster without management approval.
D. The adequate preparations and procedures for the continuation of all organization functions.

Answer: D
Business continuity planning (BCP) and Disaster recovery planning
(DRP) address the preparation, processes, and practices required to
ensure the preservation of the business in the face of major
disruptions to normal business operations.

12. Which of the following steps should be performed first in a business impact analysis (BIA)?
A. Identify all business units within an organization
B. Evaluate the impact of disruptive events
C. Estimate the Recovery Time Objectives (RTO)
D. Evaluate the criticality of business functions

Answer: A
The four cyclical steps in the BIA process are:

1. Gathering information;
2. Performing a vulnerability assessment;
3. Analyzing the information; and
4. Documenting the results and presenting the
recommendations.

The initial step of the BIA is identifying which business units are
critical to continuing an acceptable level of operations.

13. Tactical security plans are BEST used to:
A. Establish high-level security policies
B. Enable enterprise/entity-wide security management
C. Reduce downtime
D. Deploy new security technology

Answer: D
Tactical plans provide the broad initiatives to support and achieve
the goals specified in the strategic plan. These initiatives may
include deployments such as establishing an electronic policy
development and distribution process, implementing robust change
control for the server environment, reducing vulnerabilities residing
on the servers using vulnerability management, implementing a
“hot site” disaster recovery program, or implementing an identity
management solution. These plans are more specific and may
consist of multiple projects to complete the effort. Tactical plans are
shorter in length, such as 6 to 18 months to achieve a specific
security goal of the company.

14. Who is accountable for implementing information security?
A. Everyone
B. Senior management
C. Security officer
D. Data owners

Answer: C
The security officer must work with the application development
managers to ensure that security is considered in the project cost
during each phase of development (analysis, design, development,
testing, implementation, and post implementation). To facilitate this
best from an independence perspective, the security officer should
not report to application development.

15. Security is likely to be most expensive when addressed in which phase?
A. Design
B. Rapid prototyping
C. Testing
D. Implementation

Answer: D
Security is much less expensive when it is built into the application
design versus added as an afterthought at or after implementation.
16. Information systems auditors help the
organization:
A. Mitigate compliance issues
B. Establish an effective control environment
C. Identify control gaps
D. Address information technology for financial
statements

Answer: C
Auditors provide an essential role for maintaining and improving
information security. They provide an independent view of the
design, effectiveness, and implementation of controls. The results of
audits generate findings that require management response and
corrective action plans to resolve the issue and mitigate the risk.

17. The Facilitated Risk Analysis Process (FRAP)
A. makes a base assumption that a broad risk
assessment is the most efficient way to
determine risk in a system, business segment,
application or process.
B. makes a base assumption that a narrow risk
assessment is the most efficient way to
determine risk in a system, business segment,
application or process.
C. makes a base assumption that a narrow risk
assessment is the least efficient way to
determine risk in a system, business segment,
application or process.
D. makes a base assumption that a broad risk
assessment is the least efficient way to
determine risk in a system, business segment,
application or process.
Answer: B
The Facilitated Risk Analysis Process (FRAP) makes a base
assumption that a narrow risk assessment is the most efficient way
to determine risk in a system, business segment, application or
process. The process allows organizations to prescreen applications,
systems, or other subjects to determine if a risk analysis is needed.
By establishing a unique prescreening process, organizations will be
able to concentrate on subjects that truly need a formal risk
analysis. The process has little outlay of capital and can be
conducted by anyone with good facilitation skills.

18. Setting clear security roles has the following benefits:
A. Establishes personal accountability, reduces cross-
training requirements and reduces departmental
turf battles
B. Enables continuous improvement, reduces cross-
training requirements and reduces departmental
turf battles
C. Establishes personal accountability, establishes
continuous improvement and reduces turf battles
D. Reduces departmental turf battles, Reduces cross-
training requirements and establishes personal
accountability
Answer: C
Establishing clear, unambiguous security roles has many benefits to
the organization beyond providing information as to the
responsibilities to be performed and who needs to perform them.

19. Well-written security program policies are BEST reviewed:
A. At least annually or at pre-determined organization changes
B. After major project implementations
C. When applications or operating systems are updated
D. When procedures need to be modified

Answer: A
Policies should survive two or three years even though they should
be reviewed and approved at least annually.

20. An organization will conduct a risk assessment to evaluate
A. threats to its assets, vulnerabilities not present in the
environment, the likelihood that a threat will be
realized by taking advantage of an exposure, the
impact that the exposure being realized will have on
the organization, the residual risk
B. threats to its assets, vulnerabilities present in the
environment, the likelihood that a threat will be
realized by taking advantage of an exposure, the
impact that the exposure being realized will have on
another organization, the residual risk
C. threats to its assets, vulnerabilities present in the
environment, the likelihood that a threat will be
realized by taking advantage of an exposure, the
impact that the exposure being realized will have on
the organization, the residual risk
D. threats to its assets, vulnerabilities present in the
environment, the likelihood that a threat will be
realized by taking advantage of an exposure, the
impact that the exposure being realized will have on
the organization, the total risk

Answer: C
An organization will conduct a risk assessment (the term risk
analysis is sometimes interchanged with risk assessment) to
evaluate:

- Threats to its assets
- Vulnerabilities present in the environment
- The likelihood that a threat will be realized by taking advantage of an exposure (or probability and frequency when dealing with quantitative assessment)
- The impact that the exposure being realized will have on the organization
- Countermeasures available that can reduce the threat’s ability to exploit the exposure or that can lessen the impact to the organization when a threat is able to exploit a vulnerability
- The residual risk (e.g., the amount of risk that is left over when appropriate controls are properly applied to lessen or remove the vulnerability)

An organization may also wish to document evidence of the
countermeasure in a deliverable called an exhibit or in some
frameworks this is called “evidence.” An exhibit can be used to
provide an audit trail for the organization and, likewise, evidence for
any internal or external auditors that may have questions about the
organization’s current state of risk. Why undertake such an
endeavor? Without knowing what assets are critical and which
would be most at risk within an organization, it is not possible to
protect those assets appropriately.
20. A security policy which will remain relevant and
meaningful over time includes the following:
A. Directive words such as shall, must, or will, technical
specifications and is short in length
B. Defined policy development process, short in length
and contains directive words such as shall, must or
will
C. Short in length, technical specifications and contains
directive words such as shall, must or will
D. Directive words such as shall, must, or will, defined
policy development process and is short in length

Answer: D
Technical implementation details do not belong in a policy. Policies must be written to be technology independent. Technology controls may change over time as an organization’s risk profile changes and new vulnerabilities are found.

21. The ability of one person in the finance department to add vendors to the vendor database and subsequently pay the vendor violates which concept?
A. A well-formed transaction
B. Separation of duties
C. Least privilege
D. Data sensitivity level

Answer: B
Separation of duties ensures fraud or other undesirable behavior cannot occur without collusion between two or more parties. In this example, an individual could add himself or herself as a vendor and then pay themselves.

22. Collusion is best mitigated by:
A. Job rotation
B. Data classification
C. Defining job sensitivity level
D. Least privilege

Answer: A
Collusion involves multiple parties conspiring to perform an act
harmful to the organization. By rotating jobs, collusion becomes more
difficult as an increasing number of individuals must agree to harm
the organization.

23. Data access decisions are best made by:
A. User managers
B. Data owners
C. Senior management
D. Application developer

Answer: B
Data owners are ultimately responsible for the information and
therefore should determine access decisions.

24. Which of the following statements BEST describes the extent to which an organization should address business continuity or disaster recovery planning?
A. Continuity planning is a significant organizational
issue and should include all parts or functions of the
company.
B. Continuity planning is a significant technology issue
and the recovery of technology should be its primary
focus.
C. Continuity planning is required only where there is
complexity in voice and data communications.
D. Continuity planning is a significant management issue
and should include the primary functions specified by
management.

Answer: A
Business continuity planning and Disaster recovery planning involve
the identification, selection, implementation, testing, and updating
of prudent processes and specific actions necessary to protect
critical business processes from the effects of major system and
network disruptions and to ensure the timely restoration of
business operations if significant disruptions occur.
25. Business impact analysis is performed to BEST
identify:
A. The impacts of a threat to the organization
operations.
B. The exposures to loss to the organization.
C. The impacts of a risk on the organization.
D. The cost efficient way to eliminate threats.

Answer: B
The business impact analysis is what is going to help the company
decide what needs to be recovered and how quickly it needs to be
recovered.

26. During the risk analysis phase of the planning, which of the following actions could BEST manage threats or mitigate the effects of an event?
A. Modifying the exercise scenario.
B. Developing recovery procedures.
C. Increasing reliance on key individuals
D. Implementing procedural controls.

Answer: D
The third element of risk is mitigating factors. Mitigating factors are
the controls or safeguards the planner will put in place to reduce
the impact of a threat.

27. The BEST reason to implement additional controls or safeguards is to:
A. deter or remove the risk.
B. identify and eliminate the threat.
C. reduce the impact of the threat.
D. identify the risk and the threat.

Answer: C
Preventing a disaster is always better than trying to recover from
one. If the planner can recommend controls to be put in place to
prevent the most likely of risks from having an impact on the
organization’s ability to do business, then the planner will have
fewer actual events to recover from.

28. Which of the following statements BEST describes organization impact analysis?
A. Risk analysis and organization impact analysis are two different terms describing the same project effort.
B. An organization impact analysis calculates the probability of disruptions to the organization.
C. An organization impact analysis is critical to development of a business continuity plan.
D. An organization impact analysis establishes the effect of disruptions on the organization.

Answer: D
All business functions and the technology that supports them need
to be classified based on their recovery priority. Recovery time
frames for business operations are driven by the consequences of
not performing the function. The consequences may be the result of
business lost during the down period; contractual commitments not
met resulting in fines or lawsuits, lost goodwill with customers, etc.
29. The term “disaster recovery” refers to the recovery of:
A. organization operations.
B. technology environment.
C. manufacturing environment.
D. personnel environments.

Answer: B
Once computers became part of the business landscape, it quickly became clear that we could not return to our manual processes if our computers failed. If those computer systems failed, there were not enough people to do the work, nor did the people in the business still have the skill to do it manually anymore. This was the start of the disaster recovery industry. Still today, the term “disaster recovery” or “DR” commonly means recovery of the technology environment.

30. Which of the following terms BEST describes the effort to determine the consequences of disruptions that could result from a disaster?
A. Business impact analysis.
B. Risk analysis.
C. Risk assessment.
D. Project problem definition

Answer: A
The BIA is what is going to help the company decide what needs to
be recovered and how quickly it needs to be recovered.
31. The elements of risk are as follows:
A. Natural disasters and manmade disasters
B. Threats, assets and mitigating controls
C. Risk and business impact analysis
D. business impact analysis and mitigating controls

Answer: B
There are three elements of risk: threats, assets, and mitigating
factors.

32. Which of the following methods is not acceptable for exercising the business continuity plan?
A. Table-top exercise.
B. Call exercise.
C. Simulated exercise.
D. Halting a production application or function.

Answer: D
The only difference between a simulated and an actual exercise is
that the first rule of testing is the planner will never create a disaster
by testing for one. The planner must make every effort to make
certain that what is being tested will not impact the production
environment whether business or technical.

33. Which of the following is the primary desired result of any well-planned business continuity exercise?
A. Identifies plan strengths and weaknesses.
B. Satisfies management requirements.
C. Complies with auditor’s requirements.
D. Maintains shareholder confidence
Answer: A
After every exercise the planner conducts, the exercise results need
to be published and action items identified to address the issues
that were uncovered by the exercise. Action items should be
tracked until they have been resolved and, where appropriate, the
plan updated. It is very unfortunate when an organization has the
same issue in subsequent tests simply because someone did not
update the plan.

34. A business continuity plan is best updated and maintained:
A. Annually or when requested by auditors.
B. Only when new versions of software are deployed.
C. Only when new hardware is deployed.
D. During the configuration and change management process.

Answer: D
The plan document and all related procedures will need to be
updated after each exercise and after each material change to the
production, IT, or business environment.

35. Which of the following is MOST important for successful business continuity?
A. Senior leadership support.
B. Strong technical support staff.
C. Extensive wide area network infrastructure.
D. An integrated incident response team.

Answer: A
Without senior leadership support it is unlikely a business continuity
program will succeed.

36. A service’s recovery point objective is zero. Which approach BEST ensures the requirement is met?
A. RAID 6 with a hot site alternative.
B. RAID 0 with a warm site alternative
C. RAID 0 with a cold site alternative
D. RAID 6 with a reciprocal agreement.
Answer: A
RAID 6 will provide a highly redundant storage situation while the
hot site will stand ready to fail over should the primary site fail.

37. The (ISC)2 code of ethics resolves conflicts between canons by:
A. there can never be conflicts between canons.
B. working through adjudication.
C. the order of the canons.
D. vetting all canon conflicts through the board of directors.

Answer: C
Conflicts are resolved through the order of the canons.
Domain 2 – Asset Security
1. In the event of a security incident, one of the primary objectives of the operations staff is to ensure that
A. the attackers are detected and stopped.
B. there is minimal disruption to the organization’s mission.
C. appropriate documentation about the event is maintained as chain of evidence.
D. the affected systems are immediately shut off to limit the impact.

Answer: B
While the operations staff may be able to detect the attack and in some cases the attackers, there is very little that the operations staff can do to stop them. All actions taken by the operations staff as they respond to handle the security incident must follow established protocols and be documented, but this is not their primary objective. The affected systems must only be shut off after necessary data or evidence that will be admissible in court is collected. The best answer choice is that the operations staff must maintain operational resilience.

2. Good data management practices include:
A. Data quality procedures at all stages of the data management process, verification and validation of accuracy of the data, adherence to agreed upon data management practices, ongoing data audit to monitor the use and assess effectiveness of management practices and the integrity of existing data.
B. Data quality procedures at some stages of the data
management process, verification and validation of
accuracy of the data, adherence to agreed upon data
management practices, ongoing data audit to
monitor the use and assess effectiveness of
management practices and the integrity of existing
data.
C. Data quality procedures at all stages of the data
management process, verification and validation of
accuracy of the data, adherence to discussed data
management practices, ongoing data audit to
monitor the use and assess effectiveness of
management practices and the integrity of existing
data.
D. Data quality procedures at all stages of the data
management process, verification and validation of
accuracy of the data, adherence to agreed upon data
management practices, intermittent data audit to
monitor the use and assess effectiveness of
management practices and the integrity of existing
data.

Answer: A
Data management is a process involving a broad range of activities
from administrative to technical aspects of handling data. Good data
management practices include:
- A data policy that defines strategic long-term goals and provides guiding principles for data management in all aspects of a project, agency, or organization.
- Clearly defined roles and responsibilities for those associated with the data, in particular of data providers, data owners, and custodians.
- Data quality procedures (e.g., quality assurance, quality control) at all stages of the data management process.
- Verification and validation of accuracy of the data.
- Documentation of specific data management practices and descriptive metadata for each dataset.
- Adherence to agreed upon data management practices.
- Carefully planned and documented database specifications based on an understanding of user requirements and data to be used.
- Defined procedures for updates to the information system infrastructure (hardware, software, file formats, storage media), data storage and backup methods, and the data itself.
- Ongoing data audit to monitor the use and assess effectiveness of management practices and the integrity of existing data.
- Data storage and archiving plan and testing of this plan (disaster recovery).
- Ongoing and evolving data security approach of tested layered controls for reducing risks to data.
- Clear statements of criteria for data access and, when applicable, information on any limitations applied to data for control of full access that could affect its use.
- Clear and documented published data that is available and useable to users, with consistent delivery procedures.

3. Issues to be considered by the security practitioner when establishing a data policy include:
A. Cost, Due Care and Due Diligence, Privacy, Liability, Sensitivity, Existing Law & Policy Requirements, Policy and Process
B. Cost, Ownership and Custodianship, Privacy, Liability, Sensitivity, Future Law & Policy Requirements, Policy and Process
C. Cost, Ownership and Custodianship, Privacy, Liability, Sensitivity, Existing Law & Policy Requirements, Policy and Procedure
D. Cost, Ownership and Custodianship, Privacy, Liability, Sensitivity, Existing Law & Policy Requirements, Policy and Process

Answer: D
A sound data policy defines strategic long-term goals for data
management across all aspects of a project or enterprise. A data
policy is a set of high-level principles that establish a guiding
framework for data management. A data policy can be used to
address strategic issues such as data access, relevant legal matters,
data stewardship issues and custodial duties, data acquisition, and
other issues. Because it provides a high-level framework, a data
policy should be flexible and dynamic. This allows a data policy to
be readily adapted for unanticipated challenges, different types of
projects, and potentially opportunistic partnerships while still
maintaining its guiding strategic focus. Issues to be considered
by the security practitioner when establishing a data policy
include:
- Cost – Consideration should be given to the cost of providing data versus the cost of providing access to data. Cost can be both a barrier for the user to acquire certain datasets, as well as for the provider to supply data in the format or extent requested.
- Ownership and Custodianship – Data ownership should be clearly addressed. Intellectual property rights can be owned at different levels; e.g. a merged dataset can be owned by one organization, even though other organizations own the constituent data. If the legal ownership is unclear, the risk exists for the data to be improperly used, neglected, or lost.
- Privacy – Clarification of what data is private and what data is to be made available in the public domain needs to occur. Privacy legislation normally requires that personal information be protected from others. Therefore clear guidelines are needed for the inclusion, usage, management, storage, and maintenance of personal information in datasets.
- Liability – Liability involves how protected an organization is from legal recourse. This is very important in the area of data and information management, especially where damage is caused to an individual or organization as a result of misuse or inaccuracies in the data. Liability is often dealt with via end-user agreements and licenses. A carefully worded disclaimer statement can be included in the metadata and data retrieval system so as to free the provider, data collector, or anyone associated with the dataset of any legal responsibility for misuse or inaccuracies in the data.
- Sensitivity – There is a need to identify any data which is regarded as sensitive. Sensitive data is any data which, if released to the public, would result in an adverse effect (harm, removal, destruction) on the attribute in question or to a living individual. A number of factors need to be taken into account when determining sensitivity, including type and level of threat, vulnerability of the attribute, type of information, and whether it is already publicly available.
- Existing Law and Policy Requirements – Consideration should be given to laws and policies related to data and information as they apply. Existing legislation and policy requirements may have an effect on the enterprise’s data policy.
- Policy and Process – Consideration should be given to legal requests for data and policies that may need to be put in place to allow for the timely processing of, and if appropriate, response to the request. In addition, if one or more policies already exist, then they have to be examined and assessed to decide whether they will be sufficient, or if they may need to be modified in some way to be fully integrated with any new processes being created. The policy and process used to provide access to data based on a legal request have to be designed and implemented in such a way that they do not violate access controls and/or any existing policies that mandate how secure access may be granted under such circumstances, ensuring that only the data subject to the request is made available, and not exposing any unrelated data.

4. The information owner typically has the following
responsibilities:
A. Determine the impact the information has on the
mission of the organization, understand the replacement cost of the
information, determine who in the organization or
outside of it has a need for the information and
under what circumstances the information should be
released, know when the information is inaccurate or
no longer needed and should be archived.
B. Determine the impact the information has on the
mission of the organization, understand the
replacement cost of the information, determine who
in the organization or outside of it has a need for the
information and under what circumstances the
information should be released, know when the
information is inaccurate or no longer needed and
should be destroyed.
C. Determine the impact the information has on the
policies of the organization, understand the
replacement cost of the information, determine who
in the organization or outside of it has a need for the
information and under what circumstances the
information should not be released, know when the
information is inaccurate or no longer needed and
should be destroyed.
D. Determine the impact the information has on the
mission of the organization, understand the creation
cost of the information, determine who in the
organization or outside of it has a need for the
information and under what circumstances the
information should be released, know when the
information is inaccurate or no longer needed and
should be destroyed.

Answer: B
When information is created, someone in the organization must be
directly responsible for it. Often this is the individual or group which
created, purchased or acquired the information to support the
mission of the organization. This individual or group is considered
the “information owner.” The information owner typically has the
following responsibilities:
Determine the impact the information has on the mission of the
organization.
Understand the replacement cost of the information (if it can be
replaced).
Determine who in the organization or outside of it has a need for
the information and under what circumstances the information
should be released.
Know when the information is inaccurate or no longer needed and
should be destroyed.
5. QA/QC mechanisms are designed to prevent data
contamination, which occurs when a process or
event introduces either of which two fundamental
types of errors into a dataset: (Choose TWO)
A. Errors of commission
B. Errors of insertion
C. Errors of omission
D. Errors of creation

Answer: A | C
QA/QC mechanisms are designed to prevent data contamination,
which occurs when a process or event introduces either of two
fundamental types of errors into a dataset:
Errors of commission include those caused by data entry or
transcription, or by malfunctioning equipment. These are
common, fairly easy to identify, and can be effectively
reduced up front with appropriate QA mechanisms built
into the data acquisition process, as well as QC procedures
applied after the data has been acquired.
Errors of omission often include insufficient documentation
of legitimate data values, which could affect the
interpretation of those values. These errors may be harder
to detect and correct, but many of these errors should be
revealed by rigorous QC procedures.

6. Some typical responsibilities of a data custodian may
include: (Choose ALL that apply)
A. Adherence to appropriate and relevant data policy
and data ownership guidelines.
B. Ensuring accessibility to appropriate users,
maintaining appropriate levels of dataset security.
C. Fundamental dataset maintenance, including but not
limited to data storage and archiving.
D. Assurance of quality and validation of any additions
to a dataset, including periodic audits to assure
ongoing data integrity.

Answer: A | B | C | D (all of the above)
Data custodians are established to ensure that important datasets
are developed, maintained, and are accessible within their defined
specifications. Designating a person or role as being charged with
overseeing these aspects of data management helps to ensure that
datasets do not become compromised. How these aspects are
managed should be in accordance with the defined data policy
applicable to the data, as well as any other applicable data
stewardship specifications. Some typical responsibilities of a data
custodian may include:
Adherence to appropriate and relevant data policy and data
ownership guidelines
Ensuring accessibility to appropriate users, maintaining
appropriate levels of dataset security
Fundamental dataset maintenance, including but not
limited to data storage and archiving
Dataset documentation, including updates to
documentation
Assurance of quality and validation of any additions to a
dataset, including periodic audits to assure ongoing data
integrity
7. The objectives of data documentation are to:
(Choose ALL that apply)
A. Ensure the longevity of data and their re-use for
multiple purposes
B. Ensure that data users understand the content,
context and limitations of datasets
C. Facilitate the confidentiality of datasets
D. Facilitate the interoperability of datasets and data
exchange

Answer: A | B | D
Data documentation is critical for ensuring that datasets are usable
well into the future. Data longevity is roughly proportional to the
comprehensiveness of their documentation. All datasets should be
identified and documented to facilitate their subsequent
identification, proper management and effective use, and to avoid
collecting or purchasing the same data more than once. The
objectives of data documentation are to:
Ensure the longevity of data and their re-use for multiple
purposes
Ensure that data users understand the content, context and
limitations of datasets
Facilitate the discovery of datasets
Facilitate the interoperability of datasets and data exchange

8. Benefits of data standards include:
A. more efficient data management, decreased data
sharing, higher quality data, improved data
consistency, increased data integration, better
understanding of data, improved documentation
of information resources
B. more efficient data management, increased data
sharing, higher quality data, improved data
consistency, increased data integration, better
understanding of data, improved documentation
of information resources
C. more efficient data management, increased data
sharing, medium quality data, improved data
consistency, decreased data integration, better
understanding of data, improved documentation
of information resources
D. more efficient data management, increased data
sharing, highest quality data, improved data
consistency, increased data integration, better
understanding of data, improved documentation
of information metadata

Answer: B
Data standards describe objects, features, or items that are
collected, automated, or affected by activities or the functions of
organizations. In this respect, data need to be carefully managed
and organized according to defined rules and protocols. Data
standards are particularly important in any situations where data
and information need to be shared or aggregated. Benefits of data
standards include:
more efficient data management (including updates and
security)
increased data sharing
higher quality data
improved data consistency
increased data integration
better understanding of data
improved documentation of information resources

9. When classifying data, the security practitioner
needs to determine the following aspects of the
policy: (Choose ALL that apply)
A. who has access to the data
B. what methods should be used to dispose of the data
C. how the data is secured
D. whether the data needs to be encrypted

Answer: A | B | C | D (all of the above)
Data classification entails analyzing the data that the organization
retains, determining its importance and value, and then assigning it
to a category. Data that is considered “secret,” whether contained in
a printed report or stored electronically, needs to be classified so
that it can be handled properly. IT administrators and security
administrators can guess how long data should be retained and how
it should be secured, but unless the organization has taken the time
to classify its data, it may not be secured correctly or retained for
the required time period.
When classifying data, the security practitioner needs to determine
the following aspects of the policy:

1. Who has access to the data? Define the roles of people
who can access the data. Examples include accounting
clerks who are allowed to see all accounts payable and
receivable but cannot add new accounts, and all
employees who are allowed to see the names of other
employees (along with managers’ names, and
departments, and the names of vendors and contractors
working for the company). However, only HR employees
and managers can see the related pay grades, home
addresses, and phone numbers of the entire staff. And
only HR managers can see and update employee
information classified as private, including Social Security
numbers (SSNs) and insurance information.
2. How the data is secured. Determine whether the data is
generally available or, by default, off limits. In other
words, when defining the roles that are allowed to have
access, you also need to define the type of access—view
only or update capabilities—along with the general access
policy for the data. As an example, many companies set
access controls to deny database access to everyone
except those who are specifically granted permission to
view or update the data.
3. How long the data is to be retained. Many industries
require that data be retained for a certain length of time.
For example, the finance industry requires a seven-year
retention period. Data owners need to know the
regulatory requirements for their data, and if
requirements do not exist, they should base the retention
period on the needs of the business.
4. What method(s) should be used to dispose of the data?
For some data classifications, the method of disposal will
not matter. But some data is so sensitive that data
owners will want to dispose of printed reports through
cross-cut shredding or another secure method. In
addition, they may require employees to use a utility to
verify that data has been removed fully from their PCs
after they erase files containing sensitive data to address
any possible data remanence issues or concerns.
5. Whether the data needs to be encrypted. Data owners
will have to decide whether their data needs to be
encrypted. They typically set this requirement when they
must comply with a law or regulation such as the
Payment Card Industry Data Security Standard (PCI-
DSS).
6. What use of the data is appropriate? This aspect of the
policy defines whether data is for use within the
company, is restricted for use by only selected roles, or
can be made public to anyone outside the organization.
In addition, some data has legal usage definition
associated with it. The organization’s policy should spell
out any such restrictions or refer to the legal definitions
as required.

Proper data classification also helps the organization comply with
pertinent laws and regulations.

10. The major benefit of information classification is to
A. map out the computing ecosystem
B. identify the threats and vulnerabilities
C. determine the software baseline
D. identify the appropriate level of protection needs

Answer: D
Information classification refers to the practice of differentiating
between different types of information assets and providing some
guidance as to how classified information will need to be protected.
Vulnerability scans can be used to map out the computing
ecosystem. Threat modeling is used to identify threats and
vulnerabilities. Configuration management can be used to
determine the software baseline.

11. When sensitive information is no longer critical but
still within scope of a record retention policy, that
information is BEST
A. Destroyed
B. Re-categorized
C. Degaussed
D. Released

Answer: B
Information categorization also includes the processes and
procedures to lower the sensitivity label of information. For
example, declassification may be used to downgrade the sensitivity
of information. Over the course of time, information once
considered sensitive may decline in value or criticality. In these
instances, declassification efforts should be implemented to ensure
that excessive protection controls are not used for non-sensitive
information. When declassifying information, marking, handling,
and storage requirements will likely be reduced. Organizations
should have categorization or declassification practices well
documented for use by individuals assigned with the task.
Information may still be needed and so it cannot be destroyed,
degaussed, or deleted.
12. What are the FOUR phases of the equipment
lifecycle?
A. Defining requirements, acquiring and implementing,
operations and maintenance, disposal and
decommission
B. Acquiring requirements, defining and implementing,
operations and maintenance, disposal and
decommission
C. Defining requirements, acquiring and maintaining,
implementing and operating, disposal and
decommission
D. Defining requirements, acquiring and implementing,
operations and decommission, maintenance and
disposal

Answer: A
The following illustrates common activities that the information
security professional should engage in throughout the equipment
lifecycle:

Defining Requirements
Ensure relevant security requirements are included in
any specifications for new equipment
Ensure appropriate costs have been allocated for
security features required
Ensure new equipment requirements fit into the
organizational security architecture
Acquiring and Implementing
Validate security features are included as specified
Ensure additional security configurations, software
and features are applied to the equipment
Ensure the equipment is followed through any
security certification or accreditation process as
required
Ensure the equipment is inventoried
Operations and Maintenance
Ensure the security features and configurations
remain operational
Review the equipment for vulnerabilities and mitigate
if discovered
Ensure appropriate support is available for security
related concerns
Validate and verify inventories to ensure equipment is
in place as intended
Ensure changes to the configuration of the system
are reviewed through a security impact analysis and
vulnerabilities are mitigated
Disposal and Decommission
Ensure equipment is securely erased and then either
destroyed or recycled depending on the security
requirements of the organization
Ensure inventories are accurately updated to reflect
the status of decommissioned equipment

13. Which of the following BEST determines the
employment suitability of an individual?
A. Job rank or title
B. Partnership with the security team
C. Role
D. Background investigation
Answer: D
A background investigation relevant to the role, job or access is the
best approach for minimizing security problems. While a background
investigation will not guarantee the integrity or honesty of an
individual, it will give the organization a glimpse into the history of
an individual and their references.

14. The best way to ensure that there is no data
remanence of sensitive information that was once
stored on a DVD-R media is by
A. Deletion
B. Degaussing
C. Destruction
D. Overwriting

Answer: C
Optical media such as CDs and DVDs must be physically destroyed to
make sure that there is no residual data that can be disclosed. Since
the DVD-R mentioned in this context is write-once (burn-once)
media, the information on it cannot be overwritten or deleted.
Degaussing can reduce or remove data remanence only in magnetic,
non-optical media.
15. Which of the following processes is concerned with
not only identifying the root cause but also
addressing the underlying issue?
A. Incident management
B. Problem management
C. Change management
D. Configuration management

Answer: B
While incident management is concerned primarily with managing
an adverse event, problem management is concerned with tracking
that event back to a root cause and addressing the underlying
problem. Maintaining system integrity is accomplished through the
process of change control management. Configuration management
is a process of identifying and documenting hardware components,
software, and the associated settings.

16. Before applying a software update to production
systems, it is MOST important that
A. Full disclosure information about the threat that the
patch addresses is available
B. The patching process is documented
C. The production systems are backed up
D. An independent third party attests the validity of the
patch

Answer: C
Prior to deploying updates to production servers, make certain that
a full system backup is conducted. In the regrettable event of a
system crash due to the update, the server and data can be
recovered without a significant loss of data. Additionally, if the
update involved proprietary code, it will be necessary to provide a
copy of the server or application image to the media librarian. The
presence or absence of full disclosure information is good to have
but not a requirement, as the patching process will have to be a
risk-based decision as it applies to the organization. Documentation
of the patching process is the last step in patch management
processes. Independent third-party assessments are not usually
related to attesting patch validity.